The past decade has witnessed a plague of remote exploits that can be launched by any machine on the Internet against any other machine having a given vulnerability. Some vulnerabilities, such as buffer overruns or other violations of memory safety, typically result in the attacker completely compromising the remote host. Other vulnerabilities, such as SQL injection or cross-site scripting, often lead to the disclosure of personal information, though in some instances they can also lead to complete remote host compromise. To combat these attacks, a number of defensive techniques have been developed, such as address space randomization, stack canaries, compartmentalized web browsers, self-certifying alerts, run-time dynamic dataflow analysis, and many others. Nevertheless, despite these advances, it seems unlikely that machine compromises can be completely eliminated; computer system defenders must expect that some small fraction of machines will become compromised, whether through insider attacks, social engineering, or the occasional more traditional vulnerability.
Over this period of time, computers have become ever more interconnected. Today it is not uncommon for organizations to run single-sign-on identity services for hundreds of thousands of users, while Internet identity services can support hundreds of millions of users. Furthermore, these identity services are being connected together through the use of federation technologies such as Security Assertion Markup Language (SAML). For instance, SAML allows an application hosted on a commercial website that rents or leases computers to paying customers for running their own applications to recognize both the user alice@123.com, as asserted by 123.com, and the user bob@ABC.com, as asserted by ABC.com; the application can then implement access checks involving these users.
Unfortunately, the ability to authenticate users and set access policies has far outpaced the ability to manage these security policies. In particular, the aggregate scale and complexity of these access policies have made identity follow-on attacks into a pressing danger for many organizations. The term follow-on attack refers to any attack launched after an initial attack. An identity follow-on attack is one launched after an initial machine compromise, where the identities of users currently logged on to the initially compromised machine are leveraged to compromise additional machines. If the currently logged-on users have administrative privileges on one or more other machines, such additional compromises can be trivial for the attacker. The attacker can even iterate this process of successive compromise.
The threat of identity follow-on attacks is that they magnify other dangers, allowing a single initial compromise to proliferate into a large number of compromised machines. Analysis of such threats in a single large organization containing several hundred thousand users and machines indicates that identity follow-on attacks allow an attacker who compromises almost any machine in the studied organization to compromise many other machines. Given the expectation that a small fraction of machines within the organization will be compromised, this is an unacceptable situation, and it arises from two pressures at work in the evolution of security configurations over time: granting additional privileges is frequently the easiest way to enable some particular task, and there are currently no commonly used tools to analyze the impact of security configuration changes.
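As an added illustration of the attack and of the configuration-impact analysis described above (editorial example code, not part of the claimed subject matter or of any analysis tool the text refers to), the following Python models an organization as two relations, which users are currently logged on to each machine and which users hold administrative privileges on each machine, and computes the set of machines an identity follow-on attack reaches from a given initial compromise. It then compares two configurations to show how a single privilege grant or a single interactive logon changes the exposure. All machine and user names are constructed for the example.

```python
"""Identity follow-on attack reachability (added example, constructed data).

Attacker model, following the text above:
  * controlling a machine yields the identities of every user logged on to it;
  * a stolen identity with administrative privileges on another machine yields
    control of that machine;
  * the attacker iterates until no new machine can be reached.
"""
from collections import deque
from copy import deepcopy

# Constructed sample organization (all names hypothetical).
# Users currently logged on to each machine:
LOGGED_ON = {
    "ws-alice": {"alice"},
    "ws-bob": {"bob"},
    "build-01": {"svc-build", "carol"},
    "file-01": {"dave"},
    "dc-01": {"domadmin"},
}
# Users holding administrative privileges on each machine:
ADMINS = {
    "ws-alice": {"alice", "helpdesk"},
    "ws-bob": {"bob", "helpdesk"},
    "build-01": {"carol", "helpdesk"},
    "file-01": {"svc-build", "domadmin"},
    "dc-01": {"domadmin"},
}


def follow_on_reach(start, logged_on, admins):
    """Return (compromised_machines, stolen_identities) reachable from `start`.

    Breadth-first search over the bipartite machine/identity graph: each newly
    compromised machine contributes its logged-on identities, and each newly
    stolen identity contributes every machine on which it is an administrator.
    """
    compromised = {start}
    stolen = set()
    queue = deque([start])
    while queue:
        machine = queue.popleft()
        for user in logged_on.get(machine, ()):
            if user in stolen:
                continue
            stolen.add(user)
            for target, holders in admins.items():
                if user in holders and target not in compromised:
                    compromised.add(target)
                    queue.append(target)
    return compromised, stolen


def exposure(logged_on, admins):
    """Map each machine to how many machines its compromise ultimately exposes."""
    machines = set(logged_on) | set(admins)
    return {m: len(follow_on_reach(m, logged_on, admins)[0]) for m in machines}


def exposure_delta(old_logged_on, old_admins, new_logged_on, new_admins):
    """Machines whose exposure grows when moving from the old to the new
    configuration, as {machine: (before, after)}.  This is the check a
    defender wants before approving a privilege grant or a privileged logon."""
    before = exposure(old_logged_on, old_admins)
    after = exposure(new_logged_on, new_admins)
    return {m: (before.get(m, 1), n) for m, n in after.items() if n > before.get(m, 1)}


def with_grant(admins, user, machine):
    """Copy of `admins` with `user` added as an administrator of `machine`."""
    new = deepcopy(admins)
    new.setdefault(machine, set()).add(user)
    return new


def with_logon(logged_on, user, machine):
    """Copy of `logged_on` with `user` interactively logged on to `machine`."""
    new = deepcopy(logged_on)
    new.setdefault(machine, set()).add(user)
    return new


if __name__ == "__main__":
    print("baseline exposure:", exposure(LOGGED_ON, ADMINS))
    # "Easy way to enable a task": make carol an admin of the domain controller.
    print("grant carol@dc-01:",
          exposure_delta(LOGGED_ON, ADMINS, LOGGED_ON, with_grant(ADMINS, "carol", "dc-01")))
    # A shared helpdesk account logs on to one workstation to fix something.
    print("helpdesk logon on ws-alice:",
          exposure_delta(LOGGED_ON, ADMINS, with_logon(LOGGED_ON, "helpdesk", "ws-alice"), ADMINS))
```

In the baseline, compromising the build server already reaches the file server through the logged-on service account, and nothing else chains further. Granting carol administrative rights on the domain controller silently extends that chain to the domain controller, and a single helpdesk logon on one workstation turns that workstation from a dead end into a foothold on four machines, because the helpdesk identity is an administrator on several of them. Neither change looks dangerous on its own; only the transitive computation shows the effect.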
The subject matter as claimed is directed toward resolving, or at the very least mitigating, one or all of the problems elucidated above.